The regulatory foundation that led here

Vietnam's path to AI-specific legislation started with Decision No. 127/QĐ-TTg, signed on January 22, 2021 — the National AI Strategy targeting Vietnam as a top-four ASEAN country in AI research and application by 2030. That strategy acknowledged AI governance as a prerequisite, not an afterthought.

Personal data protection followed with Decree No. 13/2023/NĐ-CP (April 17, 2023), which for the first time codified obligations for processors of Vietnamese personal data, including consent requirements and cross-border transfer restrictions. Combined with the data localization provisions of the Cybersecurity Law (No. 24/2018/QH14, Article 26), these instruments created the compliance infrastructure that AI Law 2026 now builds on.

The 2026 legislation arrived alongside similar frameworks globally — the EU AI Act (adopted June 2024), Singapore's Model AI Governance Framework, and the OECD AI Principles — giving Vietnamese regulators a well-established risk-tier architecture to adopt rather than invent.

The three risk tiers — and what they require

AI Law 2026 classifies AI systems into three tiers based on their potential impact on individuals, organisations, and critical infrastructure:

Risk Classification Summary
  • Tier 1 — High Risk: AI systems making or significantly influencing decisions in credit scoring, hiring, healthcare diagnosis, law enforcement, and critical infrastructure. Requires pre-deployment risk assessment, explainability documentation, board approval, and registration with the Ministry of Science and Technology.
  • Tier 2 — Limited Risk: Customer-facing AI including chatbots, recommendation engines, and document automation. Requires transparency disclosure (users must know they are interacting with AI) and incident logging.
  • Tier 3 — Minimal Risk: Internal productivity tools, spam filters, AI-assisted analytics with no autonomous decision-making. Standard operational governance applies.

The critical boundary for most enterprises is between Tier 2 and Tier 1. An invoice processing system that routes invoices to queues is Tier 2. The same system configured to autonomously approve payments up to a defined threshold crosses into Tier 1 territory — and that distinction carries entirely different compliance obligations.

What board approval actually means

"Board approval is not a checkbox. The law requires named individuals, documented risk assessment, and a record that can be produced during an audit."

For Tier 1 systems, the law requires that a designated senior executive — at minimum a C-suite or board member — reviews and approves a formal AI Risk Assessment Document (ARAD) before deployment. This document must include:

McKinsey's 2024 State of AI survey found that 72% of respondents' organisations had adopted AI in at least one business function, but only 21% had formal governance processes covering AI risk. For Vietnamese enterprises deploying AI in regulated sectors, that gap is now a legal exposure.

Which systems you already have that need reclassification

Most enterprises that have been running AI tools for 12–24 months will find they have Tier 1 systems operating under Tier 2 assumptions. Common examples:

The Ministry of Science and Technology has indicated that existing deployments have a 12-month window to bring documentation into compliance. That window runs from the law's enforcement date. Organisations that cannot produce an ARAD for a Tier 1 system during an audit face fines and a mandatory suspension of the system pending review.

The documentation gap most IT teams miss

Most enterprise AI vendors provide model cards and technical documentation adequate for their internal engineering review. What they do not provide — and what the law requires — is audit-ready explainability in Vietnamese, accessible to a compliance officer without a data science background.

Explainability under AI Law 2026 means two things: local explainability (why did the system produce this specific output for this specific input) and global explainability (how does the system behave across the population of decisions it makes). Both must be logged, retrievable, and presentable without needing the original development team in the room.

This is where vendor lock-in creates compliance risk. If your AI runs in a black-box cloud service and the vendor cannot produce Vietnamese-language explainability records on demand, you are the entity that bears the regulatory liability — not them.

What to put in front of your board now

Before your next board meeting, legal and technology leads should jointly prepare a three-page AI Inventory Summary covering: all AI systems in production, their risk tier under the 2026 classification, the current documentation status, and the compliance gap and timeline to close it. That document, once reviewed and signed by a board member, becomes the foundation of your ARAD.

Organisations that treat this as a one-time filing exercise will fail their second audit. The law requires continuous monitoring, annual re-certification for Tier 1 systems, and a 72-hour incident reporting obligation when an AI system causes or contributes to material harm.

Sources

Decision No. 127/QĐ-TTg — Vietnam National AI Strategy, Ministry of Science and Technology, January 22, 2021.

Decree No. 13/2023/NĐ-CP — Personal Data Protection Decree, Government of Vietnam, April 17, 2023.

Law No. 24/2018/QH14 — Cybersecurity Law of Vietnam, National Assembly, June 12, 2018.

EU AI Act — Regulation (EU) 2024/1689, Official Journal of the European Union, adopted June 2024.

McKinsey & Company — "The State of AI in 2024," McKinsey Global Survey, May 2024.

OECD Principles on Artificial Intelligence — OECD/LEGAL/0449, adopted May 22, 2019.